{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/microvm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Bedrock AgentCore","AWS Code Interpreter"],"_cs_severities":["high"],"_cs_tags":["cloud-security","aws","bedrock","privilege-escalation","credential-access","microvm","code-interpreter"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAttackers are exploiting vulnerabilities within AWS Code Interpreter microVMs to exfiltrate temporary credentials from Amazon Bedrock AgentCore execution roles. Normally, these roles are restricted to interacting with Bedrock inference, AgentCore data-plane, and observability services like CloudWatch Logs, X-Ray, and CloudWatch metrics. Public research highlights a string-filter bypass that allows an attacker to steal these credentials via the instance metadata service (IMDS). Once exfiltrated, these compromised credentials enable attackers to perform unauthorized AWS API calls to services such as STS, EC2, IAM, or Secrets Manager. This activity, logged under the legitimate AgentCore execution role's identity in CloudTrail, signals malicious reconnaissance, privilege escalation, or lateral movement within the AWS environment, making detection of the first anomalous service call crucial for defense.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an Amazon Bedrock AgentCore's Code Interpreter microVM, likely by exploiting a string-filter bypass vulnerability within the sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe attacker abuses the compromised microVM's access to the instance metadata service (IMDS) to retrieve temporary AWS credentials for the AgentCore execution role.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates these temporary AWS credentials, associated with the AgentCore execution role, from the microVM sandbox.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated credentials are then used to make unauthorized AWS API calls to services outside the AgentCore's normal operational scope, such as \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eec2:Describe*\u003c/code\u003e, or \u003ccode\u003eiam:List*/Get*\u003c/code\u003e for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages these stolen credentials to attempt privilege escalation (e.g., \u003ccode\u003ests:AssumeRole\u003c/code\u003e, \u003ccode\u003eiam:Put*/Attach*\u003c/code\u003e) or achieve lateral movement to other AWS resources and accounts.\u003c/li\u003e\n\u003cli\u003eThe successful abuse results in unauthorized access to sensitive data, modification of AWS resources, or further deep compromise of the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exfiltration and abuse of AWS Bedrock AgentCore execution role credentials can lead to significant unauthorized access within an organization's AWS environment. Attackers can perform extensive reconnaissance, gain elevated privileges, and move laterally across various AWS services. This allows them to access sensitive data, modify critical configurations, deploy additional malicious resources, or disrupt operations. The compromise can impact a wide range of AWS-dependent applications and services, leading to data breaches, service outages, and potential financial and reputational damage. The broad access afforded by assumed roles means that the blast radius of such an incident can be substantial, affecting multiple cloud accounts or entire organizational infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Bedrock AgentCore Execution Role Used Outside Its Runtime\u0026quot; to your SIEM and tune for your environment to detect anomalous API calls.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.user_identity.session_context.session_issuer.arn\u003c/code\u003e and \u003ccode\u003eevent.provider\u003c/code\u003e fields for any triggered alerts and investigate the legitimacy of the activity.\u003c/li\u003e\n\u003cli\u003eRestrict Bedrock AgentCore execution roles to the principle of least privilege, ensuring they only have access to necessary services and actions.\u003c/li\u003e\n\u003cli\u003eConfigure AWS Code Interpreter microVMs to use VPC network mode where possible and ensure the instance metadata service requires session tokens to mitigate credential exfiltration risks.\u003c/li\u003e\n\u003cli\u003eIf unauthorized activity is confirmed, immediately revoke the affected execution role's active sessions and rotate any associated secrets.\u003c/li\u003e\n\u003cli\u003eRefer to the provided references from Sonrai Security and Palo Alto Networks Unit 42 for further details on string-filter bypasses and sandbox escapes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T06:32:41Z","date_published":"2026-07-17T06:32:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-agentcore-cred-abuse/","summary":"Anomalous AWS API calls by an Amazon Bedrock AgentCore execution role indicate potential credential exfiltration and abuse for cloud privilege escalation, lateral movement, or reconnaissance outside its intended runtime environment.","title":"Abuse of AWS Bedrock AgentCore Execution Role Credentials for Cloud Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-agentcore-cred-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Microvm","version":"https://jsonfeed.org/version/1.1"}